Session 504 - HCCA Official Site

3/3/2017

1

www.pwc.com

Medical device security –The transition from patient privacy to patient safety

Scott Erven

PwC | Medical device security – The transition from patient privacy to patient safety

Who i am

2

Scott Erven - Managing Director – Healthcare Industries Advisory – Cybersecurity & Privacy

Medical Device Security Lead For PwC

Over 5 Years Leading Medical Device Security Research

Over 15 Years IT Security Experience

Over 5 Years Managing Security For Healthcare Systems & Providers


What we’ll be covering today

3

Why medical device security matters.

Vulnerabilities inside the medical device security landscape.

Are attacks a reality?

Diagnosis and problem awareness.4

1

2

3

Treatment plans.5

3/3/2017

2


Why medical device security matters

4


Personal impact

5

When we are at our most vulnerable, we will depend on these devices for life.

Even at times when we aren’t personally affected, people we care about may be.

Many of us rely on thesedevices daily.


Malicious intent is not a prerequisite to patient safety issues

6

3/3/2017

3


Research – Device vulnerabilities

7


Device vulnerabilities

8

Weak default/hardcoded administrative credentials

• Treatment modification

• Cannot attribute action to individual

Known software vulnerabilities in existing and new devices

• Reliability and stability issues

• Increased deployment cost to preserve patient safety

Unencrypted data transmission and service authorization flaws

• Healthcare record privacy and integrity

• Treatment modification


Research– Internet exposure

9

3/3/2017

4


Shodan search initial findings

10

Doing a search for anesthesia in Shodan and realized it was not an anesthesia workstation.

Located a public facing system with the Server Message Block (SMB) service open, and it was leaking intelligence about the healthcare organization’s entire network including medical devices.


Initial healthcare organization discovery

11

Very large U.S. based healthcare system consisting of over 12,000 employees and over 3,000 physicians. Including large cardiovascular and neuroscience institutions.

Exposed intelligence on over 68,000 systems and provided direct attack vector to the systems.

Exposed numerous connected third-party organizations and healthcare systems.


Did we only find one?

12

No. We found hundreds!!

Change the search term and many more come up. Potentially thousands if you include exposed third-party healthcare systems.

3/3/2017

5


Let me paint the picture

13

Impact: System May Not Require Login

Impact:Electronic Medical Record Systems


Getting a little warmer!

14

Impact:Pediatric Nuclear MedicineAnesthesia Systems


Summary of devices inside organization

15

Anesthesia Systems – 21

Cardiology Systems – 488

Infusion Systems – 133

MRI – 97

PACS Systems – 323

Nuclear Medicine Systems – 67

3/3/2017

6


Potential attacks – Physical

16

We know what type of systems and medical devices are inside the organization.

We know the healthcare organization and location.

We know the floor and office number.

We know if it has a lockout exemption.


Potential attacks – Phishing/Pivot

17

We know what type of systems and medical devices are inside the organization.

We know the healthcare organization andemployee names.

We know the direct public Internet facing system is vulnerable to MS08-067 and is Windows XP. We know the hostname of all these devices.

We can create a custom payload to only target medical devices and systems with known vulnerabilities.


Are attacks a reality?

18

3/3/2017

7


Real world attacks – Honeypot research

19

Using known default login information for remote access?

Leveraging existing exploits for remote command execution?

Custom malware?

Malicious intent to interfere with the device (or worse, someone using the device)?

Campaigns against specific vendor devices?

What we were looking for…


Real world attacks – The data

20

Data

Honeypots 10

Successful logins (SSH/Web): 55,416

Successful exploits (Majority is MS08-067) 24

Dropped malware samples 299

Top 3 Source Countries Netherlands, China, South Korea

HoneyCreds login 8

HoneyCred logins are unique to the honeypot ssh/web service, someone did some research.


Real world attacks – Conclusion

21

What did the attacker do once he got in? Nothing

Did they realize they had root on a MRI machine? Probably not

Are there compromised medical devices calling back to a command and control server?

Absolutely

Did the command and control owners know what the information they are sitting on?

Didn’t appear so

3/3/2017

8


Problem awareness

22


Problem awareness

23

Medical devices are increasingly accessible due to the natureof healthcare1

HIPAA focuses on patient privacy, not patient safety.2

U.S. Food and Drug Administration does not validate cyber safety controls. 3

Malicious intent is not a prerequisite for adverse patient outcomes.4


Technical properties

24

• All software has flaws.

• Connectivity increases potential interactions.

• A software-driven, connected medical device is a vulnerable, exposed one.

Lack of patient safety alignment in medical device cyber security practices

Exposed, vulnerable systems

3/3/2017

9


A brief history of United States Food and Drug Administration (U.S. FDA) and medical device cybersecurity

FDA issues general warning on device cybersecurity based on “known vulnerabilities”

FDA issues draft guidance on

medical device cybersecurity

FDA releases final guidance on cybersecurity for networked medical

devices containing off-the-shelf software

January 2005

FDA issues first-ever warning about cybersecurity vulnerability of a device

FDA issues its final guidance document on including medical device cybersecurity

information in premarket applications

President Obama issues executive order on improving infrastructure cybersecurity

February 2013

June 2013June 2013

October 2014July 2015

FDA issues draft guidance document on post-approved monitoring of medical device cybersecurity

January 2016

December 2016

FDA issues final guidance document on post-approved monitoring and

remediation of medical device cybersecurity

25


U.S. FDA premarket guidance for medical device cybersecurity

U.S. FDA asks that cybersecurity information be submitted as part of a device’s application for approval, including:

• Hazard analysis of cyber risks

• Controls to mitigate specific risks

• A plan of how to patch devices

• Controls to maintain device integrity

• Instructions on how to use related controls like antivirus software

26


U.S. FDA’s post-market guidance for medical device cybersecurity

27

U.S. FDA highlights if the following criteria are met they will not enforce 806 reporting requirements:

1.) No serious adverse events are known to have

been caused by the vulnerability

2.) Fixes are made and users are notified within 60 days (Two 30 Day Periods Defined In

Requirements) of the discovery of the vulnerability

3.) The manufacturer is a member of an Information Sharing Analysis Organization (ISAO) and

has a coordinated disclosure process

3/3/2017

10


Treatment plans

28


A shift in how we think about medical technologies

29

BeforeDevices are connected to

patients physically

Data obtained from devices are stored on paper or locally

Devices are physical products

Care is hand-administered at a health care location

Physical access is needed to view health data

NowDevices are connected wirelessly to patients and other devices

Data obtained from devices are stored in the cloud

Devices include software and even databases of health information

Care is available to patients in the palm of their hand through apps

Health data can be accessed anywhere on earth


A shift in how we think about regulating medical devicesTraditional considerations meet technology

30

Security Once a medical device is networked with other devices or the internet, is it still safe and effective?

QualityAfter approval, a device must be kept safe and effective through adherence to quality manufacturing standards established by FDA

Safety

Is a medical device safe for use in humans? Does it cause adverse events? Are its risks tolerable in relation to its benefits?

Efficacy Is a device effective for its given purpose? What is the magnitude of the effect? T

radit

ional

Evolv

ing

3/3/2017

11


Interaction with the broader industry is also core to developing an overarching threat landscape, responding to Cybersecurity events, and developing more secure devices.

Company

• Regulatory Requirements: Must be implemented, assess compliance annually

• Guidance: Assess new guidance regularly

• Notification: Receive notification of adverse events

Federal / State Government

• Guidance / Industry Thought Leadership : Evaluate credibility and relevance to product architecture and security

• Device Testing: Provide Security Testing and Certifications for new and existing devices

Research / Academia / Laboratories

•Intended Use: Follow implementation and maintenance guidance

•Requirements: Convey business and security requirements to partners

•Vulnerabilities: Report discovered issues

IoT Device Manufacturers

• Remain Vigilant: Assess security bulletins and security news daily for relevance

• Get Involved: Attend industry conferences and events

Informal Knowledge

•IoT Security Lessons/Case Studies: Interface with peers discuss best practices, vulnerabilities, as well as common issues and roadblocks

Partner / Peer Organizations

• Analyze Security: Review and validate vendor security practices

• Vulnerabilities: Report discovered issues

• Requirements: Convey business, security, and privacy requirements

Key Software & Service Vendors

Consortiums &

Information Sharing

and Analysis

Organizations

(ISAOs)

34


A security centric, risk based product development process is core to the deployment of a secure effective medical device…

02Protected Health Information Aware

Product design must be equipped with handling patient sensitive information to meet both HIPAA and U.S. FDA regulations.

04Product Safety

Product design must incorporate safety features that meet the regulatory requirements such as alarm systems to

protect users and patients from unanticipated adverse situations

Medical Device Development

Secure Product Architecture

Product design must protect the information & the device against any threats posed by

external circumstances or by other

connected devices.

03Risk Assessment and

ManagementProduct design must enable identification

and management of risk through the product development lifecycle.

01

32


To meet the current regulatory requirements and protect the device from cybersecurity attacks, it is critical to embed security within the lifecycle of the product and in risk management considerations…

Product DesignRequirements

ProductLaunch

Pre-market

Risk Management

Lifecycle

Inevitable need to explore unidentifiable

risks including foreseeable tampering

Established mechanism to feed post

market monitoring data into next-gen device design

Continuous compliance with HIPAA and

other privacy regulations

IT compliance function with expertise to

evaluate compliance with various regulations

Effective security and data standards with

an ability to rapidly respond to emerging threats

Risk Management Considerations

33

3/3/2017

12


Medical Device Cyber Security Approach

Preparation for regulatory audits and assess the health of the overall privacy and security programs

Comprehensive approach to identify and mitigate cybersecurity risks and evaluate the effectiveness of the Medical IoT cybersecurity program.

Develop the Medical IoT cybersecurity strategy in accordance with business, operational, risk and compliance needs. Design the program operating model, identify the resources to carry out the day to day activities and provide architecture and implementation support.

Strategy Execution, Design, and Implementation

Integrated Medical IoT and Enterprise Security Strategy

Medical IoTGovernance and Program

Development

Data Flow Mapping, Identification, Classification,

Use and Protection

Software/Systems Development Lifecycle (SDLC) Process

Enhancement

Control Profile DevelopmentMedical IoT Risk Management

Policy Development and Alignment

Medical IoT Vendor Risk Management

Medical IoT Incident Response Playbook Development

Information Risk and Incident Management

Mock Regulatory AuditsMedical IoT Cybersecurity Risk

AssessmentsRegulatory Framework

Alignment and ComplianceMedical IoT Risk Assessment

Process Development

Regulatory Compliance


Medical Device Cybersecurity Framework

Medical IoTSecurityProgram

Medical IoTGovernance

NetworkSecurity

MedicalIT-RiskMgmt.

AssetMgmt.

DeviceSecurity

ConfigurationMgmt.

1. Medical IoT Governance� Development of Governance Model with clearly

yeah established roles, responsibilities, and FTE� Information Sharing and Analysis Organization

(ISAO) Development and Participation

� Medical IoT Security Strategy� Medical IoT Risk Management Policy

� Medical IoT Minimum Security Baseline(MSB)

6. Asset Management� Device Inventory

� Device Attribute Collection� Asset Management Policy and

Process

� Secure Device Procurement Processes

5. Device Security� Medical IoT Device Encryption

� Secure Device Access Control and

Authentication

� Wireless Security Controls

2. Network Security� Network Segmentation and/or Network Access

Control (NAC) for critical medical IoT devices� Logging and Monitoring for Malicious Activity� Forensic Toolkit for Intrusion Analysis

� Secure Remote Access� Secure Medical IoT Device Network Architecture

3. Medical IT Risk Management� Medical IoT Device Vendor Risk

Management Program� Device Risk Profiling� Control Profile Development

� Secure Disposal Processes� Physical Device Security

� Device Risk Assessment Tool Development

4. Configuration Management� Patch Management Processes

� Software Version Control Processes� Change Management Processes� Logging and Monitoring for configuration

changes

The following diagram outlines the key components of a Medical Device Cybersecurity Framework, including roles and responsibilities for management of security risks:


Invest in personnel and processes

36

Companies should establish and support cybersecurity programs to support devices throughout their lifecycles

Established information-sharing processes –including ISAOs – may lead to more and better disclosures.

Cybersecurity experts should be hired or third-parties consulted to vet cybersecurity information.

Companies should consider how to best engage with the cybersecurity community as a strategic advantage.

3/3/2017

13


Support can lead to opportunity

37

Device companies can become essential partners to healthcare providers by helping them support and secure their devices and networks.

Device companies can benefit by giving providers a level of comfort and assurance about product security, potentially leading to increased sales, and insight into how their devices are used and misused, benefiting future device development.

Scott ErvenManaging Director, Healthcare CybersecurityE: [email protected]

Thank you

Contact

Documents

Session 504 - HCCA Official Site